coding script

IDOR Vulnerability

coding script

IDOR Vulnerability

Mark December 2, 2021

Insecure Direct Object Reference (IDOR) is a vulnerability type related to access control, this type of vulnerability happens when an attacker is able to get access to information or an action that they should not be able to because “access control” is missing.

Query Component

As an example, there is a shopping site called “BigShop.com” and on their website, an IDOR vulnerability has been found which allows attackers to view customer information.

The attacker has found a link to bobs account information on BigShop.com …

https://BigShop.com/account?user_id=34

The attacker tries changing the “user_id=” to 33 and now has access to Jane’s account information. The attacker now has access to Janes information because access controls have not been properly implemented.

Post Variables

Forms on Websites can show fields that are vulnerable to IDOR :-

Source – https://tryhackme.com/

In the above example, an attacker could possibly change the password of another user by changing the “user_id” value to another number.

Cookies

Normally cookies use sessions id’s which are made up of long and random strings of text like 5fg2584gd64s844ffgg6464wwert46464gg46464, this is used by the webserver to securely retrieve user information by validating your session.

If a simple user_id is used in the cookie this can be manipulated by changing the value 

Source – https://tryhackme.com/